Virtual Secure Mode (VSM) in Windows 10 Enterprise

In Windows 10 Enterprise (only in this edition), a new Hyper-V component has appeared: Virtual Secure Mode (VSM). VSM is a protected container (a virtual machine) that runs on the hypervisor and is isolated from the host Windows 10 and its kernel. System components that are critical from a security standpoint run inside this protected virtual container. No third-party code can be executed in the VSM, and the integrity of its code is continuously checked for modification. This architecture makes it possible to protect data inside the VSM even if the kernel of the host Windows 10 is compromised, because even the kernel cannot access the VSM directly.

The VSM container cannot be connected to the network, and nobody can obtain administrative privileges inside it. Encryption keys, user authentication data and other information whose compromise would be critical can be stored in the Virtual Secure Mode container. Thus, an attacker won't be able to penetrate the corporate infrastructure using locally cached domain user credentials.

The following system components can run inside the VSM:

LSASS (Local Security Authority Subsystem Service) is the component responsible for authenticating local users and isolating their credentials. (This protects the system from "pass the hash" attacks and from tools such as mimikatz.) It means that the passwords (and/or hashes) of users registered in the system cannot be obtained even by a user with local administrator privileges.
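As an added example, not code from the original article: a defender-side PowerShell check of whether the hypervisor-backed VSM container (exposed by Windows as virtualization-based security) is running on a host, and whether LSASS isolation (the service Microsoft ships under the name Credential Guard) is among the services it hosts. It assumes Windows 10 with the Win32_DeviceGuard WMI class available; only service codes 1 and 2 are decoded, any other code is reported raw.

```powershell
# Added example (not from the original article): report whether
# virtualization-based security (the VSM container) is active on this
# host and which protected services are running inside it.
function Get-VsmStatus {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled,
    # 1 = enabled but not running, 2 = enabled and running.
    $vbsText = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'not enabled' }
        1       { 'enabled but not running' }
        2       { 'enabled and running' }
        default { "unknown status ($_)" }
    }

    # SecurityServicesRunning: 0 = none, 1 = Credential Guard (LSASS secrets
    # isolated in VSM), 2 = hypervisor-enforced code integrity (HVCI).
    # Any other code is reported as-is rather than guessed at.
    $services = foreach ($code in @($dg.SecurityServicesRunning)) {
        switch ($code) {
            0       { }   # nothing running, emit nothing
            1       { 'Credential Guard (LSASS secrets held in VSM)' }
            2       { 'Hypervisor-enforced code integrity (HVCI)' }
            default { "other VBS service (code $code)" }
        }
    }

    [pscustomobject]@{
        VbsStatus       = $vbsText
        RunningServices = if ($services) { $services -join '; ' } else { 'none' }
        # True only when LSASS isolation is actually running, not merely configured
        CredentialGuard = (@($dg.SecurityServicesRunning) -contains 1)
    }
}

Get-VsmStatus
```

A host that reports VbsStatus "enabled and running" but CredentialGuard False has the VSM container up without LSASS inside it, so cached domain credentials on that machine are still exposed to a local administrator.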